
PHP 5.6.x < 5.6.25 / 7.0.x < 7.0.10 Multiple Vulnerabilities

High

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

Versions of PHP 5.6.x prior to 5.6.25 and 7.0.x prior to 7.0.10 are vulnerable to the following issues:

- An uninitialized memory use flaw exists in the 'openssl_seal()' method. This may allow a remote attacker to potentially execute arbitrary code. (OSVDB 133980)
- A use-after-free error exists in 'SPL_METHOD(SplObjectStorage)' in 'ext/spl/spl_observer.c'. The issue is triggered when handling unserialize calls. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 134035)
- A flaw exists related to certificate validation in the 'ftp_ssl_connect()' function. The issue is due to the server hostname not being verified to match a domain name in the 'Subject's Common Name' (CN) or 'SubjectAltName' field of the X.509 certificate. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data. (OSVDB 142594)
- An overflow condition exists in the 'curl_escape()' function in 'ext/curl/interface.c' that is triggered when handling overly long strings. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code. (OSVDB 143095)
- A flaw exists in the 'object_common2()' function in 'ext/standard/var_unserializer.c' that is triggered when handling objects during unserialization. This may allow a remote attacker to potentially execute arbitrary code. (OSVDB 143096)
- An integer overflow condition exists in the 'php_snmp_parse_oid()' function in 'ext/snmp/snmp.c'. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code. (OSVDB 143100)
- An integer truncation flaw exists in the 'select_colors()' function in 'ext/gd/libgd/gd_topal.c' that is triggered when handling the number of colors. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code. (OSVDB 143101)
- An integer overflow condition exists in the 'sql_regcase()' function in 'ext/ereg/ereg.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 143102)
- A NULL pointer dereference flaw exists in the 'php_wddx_pop_element()' function in 'ext/wddx/wddx.c' that is triggered during the handling of Base64 binary values. This may allow a remote attacker to cause a denial of service. (OSVDB 143103)
- A NULL pointer dereference flaw exists in the 'php_wddx_pop_element()' function in 'ext/wddx/wddx.c'. This may allow a remote attacker to cause a denial of service. (OSVDB 143104)
- An integer overflow condition exists in the 'php_base64_encode()' function in 'ext/standard/base64.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 143105)
- A NULL pointer dereference flaw exists in the 'php_wddx_deserialize_ex()' function in 'ext/wddx/wddx.c' that is triggered during the handling of invalid XML content. This may allow a remote attacker to cause a denial of service. (OSVDB 143106)
- An integer overflow condition exists in the 'php_quot_print_encode()' function in 'ext/standard/quot_print.c' that is triggered when handling overly long strings. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code. (OSVDB 143107)
- A use-after-free error exists in the 'unserialize()' function in 'ext/standard/var.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 143108)
- A flaw exists in the 'php_ftp_fopen_connect()' function in 'ext/standard/ftp_fopen_wrapper.c' as it may silently downgrade to regular FTP even if a secure method has been requested. This may allow a Man-in-the-Middle (MitM) attacker to downgrade the FTP communication. (OSVDB 143109)
- A flaw exists in the 'php_wddx_process_data()' function in 'ext/wddx/wddx.c' that is triggered when deserializing invalid dateTime values. This may allow a remote attacker to cause a crash. (OSVDB 143110)
- A flaw exists in the 'exif_process_IFD_in_TIFF()' function in 'ext/exif/exif.c' that is triggered when handling TIFF image content. This may allow a remote attacker to disclose memory contents. (OSVDB 143111)
- An integer overflow condition exists in the 'php_url_encode()' function in 'ext/standard/url.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 143112)
- An integer overflow condition exists in the 'php_uuencode()' function in 'ext/standard/uuencode.c'. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 143113)
- An integer overflow condition exists in the 'bzdecompress()' function in 'ext/bz2/bz2.c'. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 143114)
- An integer overflow condition exists in the 'zend_mm_realloc_heap()' function in 'Zend/zend_alloc.c' that is triggered as certain input is not properly validated. This may allow a remote attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (OSVDB 143115)
- An array indexing flaw exists in the 'imagegammacorrect()' function in 'ext/gd/gd.c' that is triggered when handling negative gamma values. This may allow a remote attacker to write a NULL to an arbitrary memory location, causing a crash or potentially allowing the execution of arbitrary code. (OSVDB 143116)
- An integer overflow condition exists in the 'curl_escape()' function in 'ext/curl/interface.c' that is triggered when handling overly long escaped strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 143117)
- A flaw exists in 'ext/session/session.c' that is triggered when handling session names. This may allow a remote attacker to inject arbitrary data into sessions. (OSVDB 143118)

Solution

Upgrade to PHP version 7.0.10 or later. If 7.x cannot be obtained, 5.6.25 has also been patched for these vulnerabilities.
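
For asset triage, the affected ranges above can be checked against the PHP token a web server exposes in its response headers. The following is an added example, not part of the original advisory or of any scanner's own check; the function names, result labels and sample headers are constructed for illustration.

```python
import re

# Fixed releases named in this advisory, keyed by (major, minor) branch.
FIXED = {(5, 6): (5, 6, 25), (7, 0): (7, 0, 10)}

# Matches "PHP/5.6.24" or "PHP/5.6.24-0+deb8u1" inside a header value.
_PHP_TOKEN = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)([^\s,;)]*)", re.IGNORECASE)


def php_version_from_headers(headers):
    """Return ((major, minor, patch), suffix) from response headers, or None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("x-powered-by", "server"):
        m = _PHP_TOKEN.search(lowered.get(name, ""))
        if m:
            return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)
    return None


def classify(headers):
    """Classify one host against the 5.6.x < 5.6.25 / 7.0.x < 7.0.10 ranges."""
    found = php_version_from_headers(headers)
    if found is None:
        # No PHP token (e.g. expose_php = Off): confirm the version on the host.
        return "unknown"
    version, suffix = found
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "out-of-scope"  # branch not covered by this advisory
    if version >= fixed:
        return "fixed"
    # A package-revision suffix may mean the distribution backported the
    # fixes while keeping the old upstream number; check the package changelog.
    if suffix.startswith(("-", "+", "~")):
        return "affected-check-backports"
    return "affected"


# Constructed sample headers, not taken from any real host.
SAMPLES = [
    {"X-Powered-By": "PHP/5.6.24"},
    {"Server": "Apache/2.4.10 (Debian) PHP/5.6.24-0+deb8u1"},
    {"x-powered-by": "PHP/7.0.10"},
    {"Server": "nginx"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify(sample))
```

A banner match is only a first pass: hosts that report "unknown" or "affected-check-backports" need the installed package version confirmed locally.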